Author: Christopher Parsons(Page 1 of 99)

I’m a Postdoctoral Fellow and Managing Director of the Telecom Transparency Project at the Citizen Lab in the Munk School of Global Affairs at the University of Toronto. I'm also a Principal at Block G Privacy and Security Consulting. My research interests focus on how privacy (particularly informational privacy, expressive privacy and accessibility privacy) is affected by digitally mediated surveillance and the normative implications that such surveillance has in (and on) contemporary Western political systems. I’m currently attending to a particular set of technologies that facilitate digitally mediated surveillance, including Deep Packet Inspection (DPI), behavioral advertising, and mobile device security. I try to think through how these technologies influence citizens in their decisions to openly express themselves or to engage in self-censoring behavior on a regular basis.

The Government of Canada has historically opposed the calls of its western allies to undermine the encryption protocols and associated applications that secure Canadians’ communications and devices from criminal and illicit activities. In particular, over the past two years the Minister of Public Safety, Ralph Goodale, has communicated to Canada’s Five Eyes allies that Canada will neither adopt or advance an irresponsible encryption policy that would compel private companies to deliberately inject weaknesses into cryptographic algorithms or the applications that facilitate encrypted communications. This year, however, the tide may have turned, with the Minister apparently deciding to adopt the very irresponsible encryption policy position he had previously steadfastly opposed. To be clear, should the Government of Canada, along with its allies, compel private companies to deliberately sabotage strong and robust encryption protocols and systems, then basic rights and freedoms, cybersecurity, economic development, and foreign policy goals will all be jeopardized.

This article begins by briefly outlining the history and recent developments in the Canadian government’s thinking about strong encryption. Next, the article showcases how government agencies have failed to produce reliable information which supports the Minister’s position that encryption is significantly contributing to public safety risks. After outlining the government’s deficient rationales for calling for the weakening of strong encryption, the article shifts to discuss the rights which are enabled and secured as private companies integrate strong encryption into their devices and services, as well as why deliberately weakening encryption will lead to a series of deeply problematic policy outcomes. The article concludes by summarizing why it is important that the Canadian government walk back from its newly adopted irresponsible encryption policy.

A Predator In Your Pocket: Executive Summary

Persons who engage in technology-facilitated violence, abuse, and harassment sometimes install spyware on a targeted person’s mobile phone. Spyware has a wide range of capabilities, including pervasive monitoring of text and chat messages, recording phone logs, tracking social media posts, logging website visits, activating a GPS system, registering keystrokes, and even activating phones’ microphones and cameras, as well as sometimes blocking incoming phone calls. These capabilities can afford dramatic powers and control over an individual’s everyday life. And when this software is used abusively, it can operate as a predator in a person’s pocket, magnifying the pervasive surveillance of the spyware operator.

Intimate partner violence, abuse, and harassment is routinely linked with efforts to monitor and control a targeted person. As new technologies have seeped into everyday life, aggressors have adopted and repurposed them to terrorize, control, and manipulate their current and former partners. When National Public Radio conducted a survey of 72 domestic violence shelters in the United States, they found that 85% of domestic violence workers assisted victims whose abuser tracked them using GPS. The US-based National Network to End Domestic Violence found that 71% of domestic abusers monitor survivors’ computer activities, while 54% tracked survivors’ cell phones with stalkerware. In Australia, the Domestic Violence Resources Centre Victoria conducted a survey in 2013 that found that 82% of victims reported abuse via smartphones and 74% of practitioners reported tracking via applications as often occurring amongst their client base. In Canada, a national survey of anti-violence support workers from 2012 found that 98% of perpetrators used technology to intimidate or threaten their victims, that 72% of perpetrators had hacked the email and social media accounts of the women and girls that they targeted, and that a further 61% had hacked into computers to monitor online activities and extract information. An additional 31% installed computer monitoring software or hardware on their target’s computer.

Spyware that possesses powerful surveillance capabilities are routinely marketed to consumer audiences to facilitate intimate partner surveillance, parent-child monitoring, or monitoring of employees. When these powerful capabilities are used to facilitate intimate partner violence, abuse, or harassment, we refer to such spyware as stalkerware.

Across a range of use-cases, spyware can easily transform into stalkerware. Perhaps most obviously, spyware that is explicitly sold or licenced to facilitate intimate partner violence, abuse, or harassment, including pernicious intrusions into the targeted person’s life by way of physical or digital actions, constitutes stalkerware by definition. However, spyware can also operate as stalkerware when surveillance software that is sold for ostensibly legitimate purposes (e.g., monitoring young children or employees) is repurposed to facilitate intimate partner violence, abuse, or harassment. To be clear, this means that even application functions which are included in mobile operating systems, such as those which help to find one’s friends and colleagues, can constitute stalkerware under certain circumstances.

“The Predator in Your Pocket: A Multidisciplinary Assessment of the Stalkerware Application Industry” is a report that was collaboratively written by researchers from computer science, political science, criminology, law, and journalism studies. As befits their expertise, the report is divided into several parts, with each focusing on specific aspects of the consumer spyware ecosystem, which includes: technical elements associated stalkerware applications, stalkerware companies’ marketing activities and public policies, and these companies’ compliance with Canadian federal commercial privacy legislation.

Part 1 discusses the harms which are associated with a person being targeted by stalkerware, the full range of marketed capabilities associated with such malicious software, and lays out our justification for conducting research into a small handful of companies: in short, we found that the following companies appeared to be the most popular in the commercial markets in Canada, the United States, and Australia, and so we directed our resources on examining:

The rest of Part 1 provides a literature review for the subsequent Parts of the report, and makes clear where our research is meant to fill gaps in the published literature, or otherwise to reconfirm or retest results which have been published by other researchers. We posed a series of research questions based on assessments of relevant disciplinary literatures which are taken up in each of the following Parts of the report.

Part 2 undertakes a technical assessment of specific stalkerware applications. We focused on Android applications because Android-based stalkerware involves actually installing malware on a targeted person’s devices. This process stands in contrast to stalkerware for iOS, which routinely depends on obtaining a targeted person’s iCloud password to exfiltrate information for the person’s iCloud backups. In the course of our research, we examined network activity, measured protection from commercial anti-virus products as well as Google’s Play Protect system, and determined the extent to which stalkerware applications’ self-update mechanisms might expose targeted persons to digital security risks in excess of those exclusively associated with the violence, abuse, and harassment from the operator of the stalkerware. Emergent from this research, we found that:

Stalkerware we examined depends on intermediaries, principally located in the United States, Netherlands, and Hong Kong;

Google Play Protect can block stalkerware installation and remove installed stalkerware but it may not protect against the newest versions of stalkerware applications until a period of time after they are released; and

In Part 3, we evaluated how companies which sold stalkerware, and software which could be repurposed as stalkerware, marketed their products to prospective customers. We used marketing intelligence methods, as well as content analysis, to conclude that many of the companies studied were actively promoting their software for the purposes of facilitating stalking and, by extension, intimate partner violence, abuse, and harassment. More specifically, we found that:

One company, mSpy, encoded concealed HTML text which advertised spousal spying on their website as a way to make their products more easily discoverable by people searching for ways to conduct intimate partner surveillance;

Few companies significantly purchased Google Ads as part of their search engine optimization strategies, with the exception of mSpy;

The substance of paid Google Ads tended to favour the use of the tools for general spying, hacking, or tracking, and did not include adwords that might help persons targeted by stalkerware to detect or remove the respective companies’ software; and

Individual organic searches that related to the spyware companies in our sample overwhelmingly favoured terms that identified the general use of the tools for spying, hacking, or tracking, and explicitly noted the circumvention of security features of products associated with the broader digital ecosystem.

Part 4 of the report undertook a content assessment of companies’ user-facing public policies. We interrogated companies’ respective privacy policies, terms of service documents, and End User Licence Agreements using a structured question set. This methodology let us better understand the policies which the companies adopted concerning the collection, processing, and storage of personal informationassociated with stalkerware operators as well as with the persons targeted by these operators. Emergent from this assessment, we concluded that the companies:

Failed to make it clear how the victims of stalkerware can have their data deleted when they have not meaningfully consented to the collection;

Failed to fully account for the personally identifiable information that can be captured when operating the software, thus circumventing the purpose and rationale of privacy policies to educate those affected by software to understand how it operates and collects such information; and

Failed to adopt policies to notify persons targeted by stalkerware in the case of data breaches, or even individuals contracting for the services.

In Part 5, we conducted an assessment of stalkerware companies’ business practices through the lens of Canada’s federal commercial privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA). Our assessment examined the extent to which companies are accountable to PIPEDA and their corresponding obligations. We ultimately concluded that:

Stalkerware companies should be found accountable under PIPEDA for the collection and processing of targeted persons’ personal data on the basis that the companies collect personal information, engage in relevant commercial activities, and collect, use, or disclose targeted persons’ data;

Given the potential for stalkerware companies to argue that they are exempt from PIPEDA’s obligations, the OPC should issue an interpretation bulletin or additional accompanying statement to the Guidelines for obtaining meaningful consent or Guidance on inappropriate data practices that specifically address stalkerware, or the use of spyware in abusive contexts. Additionally, Parliament should consider reforming commercial sector data protection legislation to close loopholes that we have identified;

Stalkerware companies ought to be obligated under PIPEDA to have extremely stringent data security practices based on the sensitivity of the data that they collect, process, disclose, and store; this pertains when these applications are used for ostensibly “legitimate” purposes and, as such, should apply to the collection of intimate data in the course of products being (re)purposed for stalkerware; and

PIPEDA and the European Union’s General Data Protection Regulation (GDPR) identify significant obligations that are imposed upon companies which sell products that have features enabling them to be used as stalkerware. The strength of the GDPR is ultimately found in the significant financial penalties which can be assigned to companies which fail to comply with the law. This is a strength that Parliament should add to PIPEDA by way of enabling the Privacy Commissioner of Canada to impose administrative monetary penalties and directly enforce its recommendations on companies.

Notably, PIPEDA only applies to the activities undertaken by business and organizations; as such, our assessment does not attend to the broader Canadian criminal law, tort law, privacy law, product liability, consumer protection, intellectual property, and intermediary liability law that are attached to the legality of using, creating and developing, selling, or facilitating the distribution of stalkerware applications. A broader legal assessment of stalkerware, as well as a set of recommendations for legal and policy reform to address some of the harms that stalkerware engenders, can be found in a companion report entitled “Installing Fear: A Canadian Legal and Policy Analysis of Using, Developing, and Selling Smartphone Spyware and Stalkerware Applications.”

In Part 6, we collect our major findings from our multidisciplinary research and propose a range of recommendations that would mitigate some of the harms associated with stalkerware companies’ practices and products. We focused on issues associated with consent, accountability and redress by jurisdiction, as well as data security and data protection. Specifically, our major findings included:

There were significant and disturbing failures by the companies in this study to obtain meaningful and ongoing consent, which seriously increased the risks and threats faced by those who operators target with stalkerware. This omission was further marked by failures to ensure that targeted persons could exercise their data access and deletion rights under Canadian privacy law;

While these companies were accountable under Canadian consumer privacy law, the limited ‘bite’ of that law may impede its ability—and, by extension, that of the Office of the Privacy Commissioner of Canada—to establish preemptive deterrence or ex post remedy and enforcement;

Not all of the companies in this study indicated that data security was a meaningful element in their privacy policies, despite Canadian law imposing data security obligations; and

Google’s Play Protect service in tandem with antivirus applications appeared, in initial testing, to relatively reliably identify stalkerware. However, more long-term testing is required to further confirm these results.

Ultimately, the availability of stalkerware applications is the result of broader social conditions that either lead developers to believe it is appropriate to create software designed for stalking or, alternately, to create applications for ostensibly legitimate purposes that can be repurposed to facilitate surreptitious intimate partner surveillance. The recommendations that we propose in this report might, if adopted, rebalance stark information asymmetries between the operator and target(s) of stalkerware. This rebalancing would address a core aspect of how stalkerware works as a tool to facilitate intimate partner violence, abuse, and harassment: by mitigating the potential for operators to engage in pervasive and surreptitious surveillance. Adopting these recommendations would also ensure meaningful and ongoing consent to any individuals that might use these tools for ostensibly legitimate purposes.

These recommendations are, however, only part of a much broader series of technical and social transformations which are required to remedy the wider, and pervasive, issues that give rise to forms of gender-related violence, abuse, and harassment. While the technical and legal remedies outlined in this report might provide important relief in the context of consumer spyware, the ongoing struggle to transcend patriarchal gender inequalities, misogyny, and corrosive societal norms around controlling, abusive, and violent behaviour directed at women, girls, non-binary persons, and children is an undertaking that requires critical and supportive communities at its core. We hope that this report provides insight into some of the deleterious manifestations of these norms, and that the structural recommendations which we provide help to alleviate some of these long-standing social harms.

Last week I appeared before the Standing Committee on Public Safety and National Security (SECU) to testify about Cybersecurity in the financial sector as a national economic security issue. I provided oral comments to the committee which were, substantially, a truncated version of the brief I submitted. If so interested, my oral comments are available to download, and what follows in this post is the actual brief which was submitted.

Introduction

I am a research associate at the Citizen Lab, Munk School of Global Affairs & Public Policy at the University of Toronto. My research explores the intersection of law, policy, and technology, with a focus on national security, data security, and data privacy issues. I submit these comments in a professional capacity representing my views and those of the Citizen Lab.

The State of Computer Insecurity

Canadian government agencies, private businesses and financial institutions, and private individuals rely on common computing infrastructures. Apple iPhones and Android-based devices are used for professional and private life alike, just as are Microsoft Windows and MacOS. Vulnerabilities in such mobile and personal computing operating systems can prospectively be leveraged to obtain access to data on the targeted devices themselves, or utilized to move laterally in networked computing environments for reconnaissance, espionage, or attack purposes. Such threats are accentuated in a world where individuals routinely bring their own devices to the workplace, raising the prospect that personal devices can be compromised to obtain access to more securitized professional environments.

The applications that we rely on to carry out business, similarly, tend to be used across the economy. Vulnerabilities in customer service applications, such as mobile banking applications, affect all classes of businesses, government departments, and private individuals. Also, underlying many of our commonly used programs are shared libraries, application programming interfaces (API), and random number generators (RNG); vulnerabilities such codebases are shared by all applications incorporating these pieces of code, thus prospectively endangering dozens, hundreds, or thousands of applications and systems. This sharedness of software between the public and private sector, and professional and private life, is becoming more common with the growth of common messaging, database, and storage systems, and will only become more routine over time.

Furthermore, all sectors of the economy are increasingly reliant on third-party cloud computing services to process, retain, and analyze data which is essential to business and government operations, as well as personal life. The servers powering these cloud computing infrastructures are routinely found to have serious vulnerabilities either in the code powering them or, alternately, as a result of insufficient isolation of virtual servers from one another. The result is that vulnerabilities or errors in setting up cloud infrastructures prospectively enable third-parties to inappropriately access, modify, or exfiltrate information.

In summary, the state of computer insecurity is profound. New vulnerabilities are discovered — and remediated — every day. Each week new and significant data breaches are reported on by major media outlets. And such breaches can be used to either engage in spearphishing — to obtain privileged access to information that is possessed by well-placed executives, employees, or other persons — or blackmail — as was threatened in the case of the Ashley Madison disclosures — or other nefarious activities. Vulnerabilities affecting computer security, writ large, threaten the financial sector and all other sectors of the economy, with the potential for information to be abused to the detriment of Canada’s national security interests.

Responsible Encryption Policies

Given the state of computer (in)security, it is imperative that the Government of Canada adopt and advocate for responsible encryption policies. Such policies entail commitments to preserving the right of all groups in Canada — government, private enterprises, and private individuals — to use computer software using strong encryption. Strong encryption can be loosely defined as encryption algorithms for which no weakness or vulnerability is known or has been injected, as well as computer applications that do not deliberately contain weaknesses designed to undermine the effectiveness of the aforementioned algorithms.

There have been calls in Canada,1 and by law enforcement agencies in allied countries,2 to ‘backdoor’ or otherwise weaken the protections that encryption provides. Succumbing to such calls will fundamentally endanger the security of all users of the affected computer software3 and, more broadly, threaten the security of any financial transactions which rely upon the affected applications, encryption algorithms, or software libraries.

Some of Canada’s closest allies, such as Australia, have adopted irresponsible encryption policies which run the risk of introducing systemic vulnerabilities into the software used by the financial sector, as well as other elements of the economy and government functions.4 Once introduced, these vulnerabilities might be exploited by Australian intelligence, security, or law enforcement agencies in the course of their activities but, also, by actors holding adversarial interests towards Canada or the Canadian economy. Threats activities might be carried out against the SWIFT network, as just one example.5

It is important to note that even Canada’s closest allies monitor Canadian banking information, often in excess of agreed upon surveillance mechanisms such as FINTRAC. As one example, information which was publicly disclosed by the Globe and Mail revealed that the United States of America’s National Security Agency (NSA) was monitoring Royal Bank of Canada’s Virtual Private Network (VPN) tunnels. The story suggested that the NSA’s activities could be a preliminary step in broader efforts to “identify, study and, if deemed necessary, “exploit” organizations’ internal communications networks.”6

Access to strong, uncompromised encryption technology is critical to the economy. In a technological environment marked by high financial stakes, deep interdependence, and extraordinary complexity, ensuring digital security is of critical importance and extremely difficult. Encryption helps to ensure the security of financial transactions and preserves public trust in the digital marketplace. The cost of a security breach, theft, or loss of customer or corporate data can have devastating impacts for private sector interests and individuals’ rights. Any weakening of the very systems that protect against these threats would represent irresponsible policymaking. Access to strong encryption encourages consumer confidence that the technology they use is safe.

Given the aforementioned threats, I ​recommend​ that the Government of Canada adopt a responsible encryption policy. Such a policy would entail a firm and perhaps legislative commitment to require that all sectors of the economy have access to strong encryption products, and would stand in opposition to irresponsible encryption policies, such as those calling for ‘backdoors’.

Vulnerabilities Equities Program

The Canadian government presently has a process in place, whereby the Communications Security Establishment (CSE) obtains computer vulnerabilities and ascertains whether to retain them or disclose them to private companies or software maintainers to remediate the vulnerabilities. The CSE is motivated to retain vulnerabilities to obtain access to foreign systems as part of its signals intelligence mandate and, also, to disclose certain vulnerabilities to better secure government systems. To date, the CSE has declined to make public the specific process by which it weighs the equities in retaining or disclosing these vulnerabilities.7 It remains unclear if other government agencies have their own equities processes. The Canadian government’s current policy stands in contrast to that of the United States of America, where the White House has published how all federal government agencies evaluate whether or retain or disclose the existence of a vulnerability.8

When agencies such as the CSE keep discovered vulnerabilities secret to later use them against specific targets, the unpatched vulnerabilities leave critical systems open to exploitation by other malicious actors who discover them. Vulnerability stockpiles kept by our agencies can be uncovered and used by adversaries. The NSA’s and Central Intelligence Agency’s (CIA) vulnerabilities have been leaked in recent years,9 with one of the NSA vulnerabilities used by malicious actors to cause at least $10B in commercial harm.10

As it stands, it is not clear what considerations guide Canada’s intelligence agencies’ decision-making process when they decide whether to keep a discovered vulnerability for future use or to disclose it so that it is fixed. There is also no indication that potentially impacted entities such as private companies or civil society organizations are involved in the decision-making process.

To reassure Canadian businesses, and make evident that Canadian intelligence and security agencies are not retaining vulnerabilities which could be used by non-government actors to endanger Canada’s financial sector by way of exploiting such vulnerabilities, I would ​recommend​ that the Government of Canada publicize its existing vulnerabilities equities program(s) and hold consultations on its effectiveness in protecting Canadian software and hardware that is used in the course of financial activities, amongst other economic activities.

Furthermore, I would ​recommend​ that the Government of Canada include the business community and civil society stakeholders in the existing, or reformed, vulnerabilities equities program. Such stakeholders would be able to identify the risks of retaining certain vulnerabilities for the Canadian economy, such as prospectively facilitating ransomware, data deletion, data modification, identify theft for commercial or espionage purposes, or data access and exfiltration to the advantage of other nation-states’ advantage.

Vulnerability Disclosure Programs

Security researchers routinely discover vulnerabilities in systems and software that are used in all walks of life, including in the financial sector. Such vulnerabilities can, in some cases, be used to inappropriately obtain access to data, modify data, exfiltrate data, or otherwise tamper with computer systems in ways which are detrimental to the parties controlling the systems and associated computer information. Relatively few organizations, however, have explicit procedures that guide researchers in how to responsibly disclose such vulnerabilities to the affected companies. Disclosing vulnerabilities absent a disclosure program can lead companies to inappropriately threaten litigation to whitehat security researchers, and such potentials reduce the willingness of researchers to disclose vulnerabilities absent a vulnerability disclosure program.11

Responsible disclosure of vulnerabilities typically involves the following. First, companies make clear to whom vulnerabilities can be reported, assure researchers they will not be legally threatened for disclosing vulnerabilities, and explains the approximate period of time a company will take to remediate the vulnerability reported. Second, researchers commit to not publicly disclosing the vulnerability until either a certain period of time (e.g. 30-90 days) have elapsed since the reporting, or until the vulnerability is patched, whichever event occurs once. The delimitation of a time period before the vulnerability is publicly reported is designed to encourage companies to quickly remediate reported vulnerabilities, as opposed to waiting for excessive periods of time before doing so.

I would ​recommend​ that the Government of Canada undertake, first, to establish a draft policy that financial sector companies, along with other sector companies, could adopt and which would establish the terms under which computer security researchers could report vulnerabilities to financial sector companies. Such a disclosure policy should establish to whom vulnerabilities are reported, how reports are treated internally, how long it will take for a vulnerability to be remediated, and insulate the security researchers from legal liability so long as they do not publicly disclose the vulnerability ahead of the established delimited period of time.

I would also ​recommend​ that the Government of Canada ultimately move to mandate the adoption of vulnerability disclosure programs for its own departments given that they could be targeted by adversaries for the purposes of financially advantaging themselves to Canada’s detriment. Such policies have been adopted by the United States of America’s Department of Defense12 and explored by the State Departments,13 to the effect of having hundreds of vulnerabilities reported and subsequently remediated. Encouraging persons to report vulnerabilities to the Government of Canada will reduce the likelihood that the government’s own infrastructures are successfully exploited to the detriment of Canada’s national interests.

Finally, I would ​recommend​ that our laws around unauthorized access be studied with an eye towards determining if they are too broad in their chill and impact on legitimate security researcher.

Two Factor Authentication Processes

Login and password pairs are routinely exfiltrated from private companies’ databases. Given that many individuals either use the same pair across multiple services (e.g. for social media as well as for professional accounts) and, also, that many passwords are trivially guessed, it is imperative that private companies’ online accounts incorporate two factor authentication (2FA). 2FA refers to a situation where an individual must be in possession of at least two ‘factors’ to obtain access to their accounts. The ‘factors’ most typically used for authentication include something that you know (e.g. a PIN or password), something you have (e.g. hardware token or random token generator), or something that you are (biometric, e.g. fingerprint or iris scan).14

While many financial sector companies use 2FA before employees can obtain access to their professional systems, the same is less commonly true of customer-facing login systems. It is important for these latter systems to also have strong 2FA to preclude unauthorized third-parties from obtaining access to personal financial accounts; such access can lead to better understandings of whether persons could be targeted by a foreign adversary for espionage recruitment, cause personal financial chaos (e.g. transferring monies to a third-party, cancelling automated bill payments, etc) designed to distract a person while a separate cyber activity is undertaken (e.g. distract a systems administrator to deal with personal financial activities, while then attempting to penetrate sensitive systems or accounts the individual administrates), or direct money to parties on terrorist watchlists.

Some Canadian financial institutions do offer 2FA but typically default to a weak mode of second factor authentication. This is problematic because SMS is a weak communications medium, and can be easily subverted by a variety of means.15 This is why entities such as the United States’ National Institute of Standards and Technology no longer recommends SMS as a two factor authentication channel.16

To improve the security of customer-facing accounts, I ​recommend​ that financial institutions should be required to offer 2FA to all clients and, furthermore, that such authentication utilize hardware or software tokens (e.g. one time password or random token generators). Implementing this recommendation will reduce the likelihood that unauthorized parties will obtain access to accounts for the purposes of recruitment or disruption activities.

Organizational Information

The views I have presented are my own and based out of research that I and my colleagues have carried out at my place of employment, the Citizen Lab. The Citizen Lab is an interdisciplinary laboratory based at the Munk School of Global Affairs and Public Policy, University of Toronto, focusing on research, development, and high-level strategic policy and legal engagement at the intersection of information and communication technologies, human rights, and global security.

We use a “mixed methods” approach to research combining practices from political science, law, computer science, and area studies. Our research includes: investigating digital espionage against civil society, documenting Internet filtering and other technologies and practices that impact freedom of expression online, analyzing privacy, security, and information controls of popular applications, and examining transparency and accountability mechanisms relevant to the relationship between corporations and state agencies regarding personal data and other surveillance activities.

1 RCMP’s ability to police digital realm ‘rapidly declining,’ commissioner warned, https://www.cbc.ca/news/politics/lucki-briefing-binde-cybercrime-1.4831340.2 In the dark about ‘going dark’, https://www.cyberscoop.com/fbi-going-dark-encryption-ari-schwartz-op-ed/.3 See: Keys Under Doormats: Mandating insecurity by requiring government access to all data and communications, https://dspace.mit.edu/handle/1721.1/97690; Shining A Light On The Encryption Debate: A Canadian Field Guide, https://citizenlab.ca/2018/05/shining-light-on-encryption-debate-canadian-field-guide/.4 Civil Society Letter to Australian Government, February 21, 2019, https://newamericadotorg.s3.amazonaws.com/documents/Coalition_comments_Australia_Assistance_and_Access_Law_2018_Feb_21_2019.pdf;
Australia’s Encryption Law Deals a Serious Blow to Privacy and Security, https://nationalinterest.org/feature/australia’s-encryption-law-deals-serious-blow-privacy-and-security-39212.5 That Insane, $81M Bangladesh Bank Heist? Here’s What We Know, https://www.wired.com/2016/05/insane-81m-bangladesh-bank-heist-heres-know/.6 NSA trying to map Rogers, RBC communications traffic, leak shows, https://www.theglobeandmail.com/news/national/nsa-trying-to-map-rogers-rbc-communications-traffic-leak- shows/article23491118/.7 When do Canadian spies disclose the software flaws they find? There’s a policy, but few details, https://www.cbc.ca/news/technology/canada-cse-spies-zero-day-software-vulnerabilities-1.4276007.8 Vulnerabilities Equities Policy and Process for the United States Government (November 15, 2017), https://www.whitehouse.gov/sites/whitehouse.gov/files/images/External%20-%20Unclassified%20VEP%20Charter%20FINAL.PDF.9 Who Are the Shadow Brokers?, https://www.theatlantic.com/technology/archive/2017/05/shadow-brokers/527778/; WikiLeaks Starts Releasing Source Code For Alleged CIA Spying Tools, https://motherboard.vice.com/en_us/article/qv3xxm/wikileaks-vault-7-vault-8-cia-source-code.10 The Untold Story of NotPetya, the Most Devastating Cyberattack in History, https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/.11 Vulnerability Disclosure Policies (VDP): Guidance for Financial Services, https://www.hackerone.com/sites/default/files/2018-07/VDP%20for%20Financial%20Services_Guide%20%281%29.pdf.12 The Department of Defense wants more people to ‘hack the Pentagon’ — and is willing to pay them too, https://www.businessinsider.com/department-defense-wants-people-hack-pentagon-2018-10; DoD Vulnerability Disclosure Policy, https://hackerone.com/deptofdefense.13 House panel approves bill to ‘hack’ the State Department, https://thehill.com/policy/cybersecurity/386897-house-panel-approves-bill-to-hack-the-state-department.14 Office of the Privacy Commissioner of Canada Privacy Tech-Know Blog – Your Identity: Ways services can robustly authenticate you, https://www.priv.gc.ca/en/blog/20170105/.15 Cybercriminals intercept codes used for banking to empty your accounts, https://www.kaspersky.com/blog/ss7-hacked/25529/; AT&T gets sued over two-factor security flaws and $23M cryptocurrency theft, https://www.fastcompany.com/90219499/att-gets-sued-over-two-factor-security-flaws-and-23m-cryptocurrency-theft.16 Standards body warned SMS 2FA is insecure and nobody listened, https://www.theregister.co.uk/2016/12/06/2fa_missed_warning/.

I have a new draft paper that outlines why the Canadian government should develop, and publish, the guidelines it uses when determining whether to acquire, use, or disclose computer- and computer-system vulnerabilities. At its crux, the paper argues that an accountability system was developed in the 1970s based on the intrusiveness of government wiretaps and that state-used malware is just as, if not more so, intrusive. Government agencies should be held to at least as high a standard, today, as they were forty years ago (and, arguably, an even higher one today than in the past). It’s important to recognize that while the paper argues for a focus on defensive cybersecurity — disclosing vulnerabilities as a default in order to enhance the general security of all Canadians and residents of Canada, as well as to improve the security of all government of Canada institutions — it recognizes that some vulnerabilities may be retained to achieve a limited subset of investigative and intelligence operations. As such, the paper does not rule out the use of malware by state actors but, instead, seeks to restrict the use of such malware while also drawing its use into a publicly visible accountability regime.

I’m very receptive to comments on this paper and will seek to incorporate feedback before sending the paper to an appropriate journal around mid-December.

Abstract:

Computer security vulnerabilities can be exploited by unauthorized parties to affect targeted systems contrary to the preferences their owner or controller. Companies routinely issue patches to remediate the vulnerabilities after learning that the vulnerabilities exist. However, these flaws are sometimes obtained, used, and kept secret by government actors, who assert that revealing vulnerabilities would undermine intelligence, security, or law enforcement operations. This paper argues that a publicly visible accountability regime is needed to control the discovery, purchase, use, and reporting of computer exploits by Canadian government actors for two reasons. First, because when utilized by Canadian state actors the vulnerabilities could be leveraged to deeply intrude into the private lives of citizens, and legislative precedent indicates that such intrusions should be carefully regulated so that the legislature can hold the government to account. Second, because the vulnerabilities underlying any exploits could be discovered or used by a range of hostile operators to subsequently threaten Canadian citizens’ and residents’ of Canada personal security or the integrity of democratic institutions. On these bases, it is of high importance that the government of Canada formally develop, publish, and act according to an accountability regime that would regulate its agencies’ exploitation of computer vulnerabilities.

Parsons, Christopher. (2015). “Stuck on the Agenda: Drawing lessons from the stagnation of ‘lawful access’ legislation in Canada,” Michael Geist (ed.), Law, Privacy and Surveillance in Canada in the Post-Snowden Era (Ottawa University Press).

Parsons, Christopher. (2015). “Beyond the ATIP: New methods for interrogating state surveillance,” in Jamie Brownlee and Kevin Walby (Eds.), Access to Information and Social Justice (Arbeiter Ring Publishing).

Bennett, Colin, and Parsons, Christopher. (2013). “Privacy and Surveillance: The Multi-Disciplinary Literature on the Capture, Use, and Disclosure of Personal information in Cyberspace” in W. Dutton (Ed.), Oxford Handbook of Internet Studies.

McPhail, Brenda; Parsons, Christopher; Ferenbok, Joseph; Smith, Karen; and Clement, Andrew. (2013). “Identifying Canadians at the Border: ePassports and the 9/11 legacy,” in Canadian Journal of Law and Society 27(3).

Parsons, Christopher; Savirimuthu, Joseph; Wipond, Rob; McArthur, Kevin. (2012). “ANPR: Code and Rhetorics of Compliance,” in European Journal of Law and Technology 3(3).